The following post is a rough outline of GDPR compliance and must not be used as an official guideline. You may want to appoint legal counsel to ensure that you are GDPR compliant.
What is GDPR?
If your company is based within the European Union, or if you have European clients, this may prove to be a useful read. If you didn’t already know, 25th May 2018 was the official deadline to become GDPR compliant.
First of all, what is GDPR? The General Data Protection Regulation is a regulation that unifies data protection laws across the European Union. This means that we all need to ensure that the way we store personal data (for our employees and customers), within our company, follows this new legislation.
How do you know if you need to be GDPR compliant?
If any of the following applies to your company, then you must take action immediately:
- You manage personal data of EU residents, whether customers or employees.
- You process data of EU residents in order to offer them goods or services.
- You monitor the behavior of customers or users in the EU.
Is data sensitive or personal? What is the difference?
Sensitive data is data that discloses your ethnic background, sexual orientation, religion, health, financial status or political opinion. Personal data, by contrast, covers details such as email addresses, full names, where you live, which country you are in, and so on. Don’t be mistaken in thinking that GDPR only applies to sensitive data; it doesn’t. Any type of information stored about a person, sensitive or personal, will need to comply with GDPR rules.
Are you a data controller or a processor?
Either way, it doesn’t matter! Under previous laws, only a data controller could be held liable for a breach of data protection. Under GDPR, both a data controller and a data processor can be held liable.
What is at stake for breaching this regulation?
There is a pretty hefty fine for breaching this regulation, so if you are not yet GDPR compliant, you might want to get yourself into gear! Fines can reach up to €20M or 4% of your global annual turnover (I can’t decide which is worse, can you?), in addition to liability for the damages caused. So, let’s take it seriously!
What do you need to do to be GDPR compliant?
According to Chapter 1, Article 5 of the General Data Protection Regulation, the following points are the most important to follow when it comes to handling personal data.
- Lawfulness, fairness and transparency: Data needs to be processed lawfully, fairly and in a transparent manner.
- Purpose limitation: Data is to be collected for a stated purpose and used for that purpose only.
- Data minimization: Only collect what you need! It must be relevant to the purpose.
- Accuracy: Data must be accurate and up to date. If it’s not, securely delete it!
- Storage limitation: Data should only be stored for as long as it is needed (remember that purpose?).
- Integrity and confidentiality: Use appropriate technical and organizational security measures to ensure that you don’t lose it, damage it or let someone else get their hands on it.
- Your clients have the right to their data: If they want it deleted, you have to delete it.
- Consent: You may need to provide evidence that you had full consent when obtaining data. Pre-ticked boxes are a big no-no. A person will need to opt in to sharing their data, not opt out.
- Data breach procedures: It is a good idea to have a procedure in place to detect, report and investigate a data breach. You will have up to 72 hours to officially report it to the data protection authorities.
- Organizational measures: Who is in charge? You will need to appoint a data protection officer and introduce official technical measures.
- Third parties: If you have any third-party providers that have access to your stored data, you will need to ensure that they have the procedures in place to comply with GDPR.
What does GDPR have to do with emails and SMTP2GO?
Now more than ever, an up-to-date, 100% opt-in mailing list is a MUST in order to comply with GDPR. We have always enforced this within our terms of service, and we will continue to do so. All email marketers will need to ensure that the way they collect and store data complies with GDPR, and that they delete and update their data as and when requested.
If you were wondering whether you can still use SMTP2GO now that GDPR has been introduced, then the answer is yes! You will be able to continue using SMTP2GO as a third-party provider without having to worry about breaching this new regulation. One of the ways we can help you stay GDPR compliant is to ensure that your emails are sent via our European servers.
Use encryption to keep safe!
Encryption is one of the technical measures recommended for demonstrating that your company is GDPR compliant. If there is a server-side data breach or leak, encryption ensures that the leaked data is unreadable to whoever gets their hands on it. If the stolen healthcare data of more than half of Norway’s population on 8th January 2018 isn’t enough to scare you, then nothing will.
If you are already an SMTP2GO user, you can find our Data Processing Agreement under ‘Edit Account’ within your SMTP2GO Dashboard. If not, feel free to ask our support agents any questions you may have.